I have a client who wants to keep employees from bringing in devices that can attach to his network, and download company data. He only has 4 computers attached. The “server” is a windows 7 and he needs to attach 3 xp computers. I was trying to limit attachment to the windows 7 with firewall rules, but they don’t seem to work very well. So I wondered if I used a subnet mask if I could reduce his available ip addresses so there would be no connection available to any extra devices. So if his router is 192.168.2.1 and I changed the subnet mask from 255.255.255.0 to 255.255.255.248, what ip addresses would be available? I’ve been reading tutorials, but I’m getting tired and the info is just not making it into my brain. If the answer is 192.168.2.2 thru 192.168.2.8, could I still allow the router to dhcp with a submask of 255.255.255.0 and only allocate ip addresses from 192.168.2.150 thru 160 so that the internet would work, but they just would not see the server?
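Worked answer to the subnet question, as an added example that is not part of the original thread. It uses Python's standard `ipaddress` module to compute the host range for the router's address under each mask, and then checks, from each machine's own point of view, whether the other machine counts as "on-link". The addresses, masks and the 192.168.2.150 client are taken from the question above; the function names are my own.

```python
import ipaddress

# Values from the question: router 192.168.2.1, the proposed /29 mask and the current /24 mask.
ROUTER = "192.168.2.1"
NARROW_MASK = "255.255.255.248"   # /29: 8 addresses, 6 usable hosts
WIDE_MASK = "255.255.255.0"       # /24: 256 addresses, 254 usable hosts


def subnet_summary(router_ip: str, netmask: str) -> dict:
    """Network, broadcast and usable host addresses for the block containing router_ip."""
    net = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    hosts = [str(h) for h in net.hosts()]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "usable_hosts": hosts,
        # The router keeps its address, so these are what is left for other machines.
        "usable_for_clients": [h for h in hosts if h != router_ip],
    }


def on_link_from(host_ip: str, host_mask: str, target_ip: str) -> bool:
    """Does a host configured with host_ip/host_mask treat target_ip as directly reachable?

    Each host decides this with its OWN mask; the target's mask plays no part.
    """
    net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    return ipaddress.ip_address(target_ip) in net


def dhcp_range_inside(netmask: str, router_ip: str, first: str, last: str) -> bool:
    """Is the DHCP pool first..last entirely inside the block router_ip/netmask?"""
    net = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    return all(ipaddress.ip_address(a) in net for a in (first, last))


if __name__ == "__main__":
    narrow = subnet_summary(ROUTER, NARROW_MASK)
    print(f"/{narrow['prefixlen']}: network {narrow['network']}, broadcast {narrow['broadcast']}")
    print("usable for clients:", ", ".join(narrow["usable_for_clients"]))

    # The proposed DHCP pool (.150-.160) is outside the /29 block around the router.
    print("DHCP pool inside /29?", dhcp_range_inside(NARROW_MASK, ROUTER, "192.168.2.150", "192.168.2.160"))

    # Mixed masks on one wire: the /24 client still considers the /29 server on-link.
    server, client = "192.168.2.2", "192.168.2.150"
    print("client (/24) sees server on-link:", on_link_from(client, WIDE_MASK, server))
    print("server (/29) sees client on-link:", on_link_from(server, NARROW_MASK, client))
```

With 255.255.255.248 the router's block is 192.168.2.0 to 192.168.2.7: .0 is the network address, .7 is broadcast, .1 is the router, so only .2 through .6 remain for the four PCs, not .2 through .8. The second check is the catch: a DHCP client at .150 with a /24 mask still regards .2 as on its own segment and will address it directly, because the subnet mask is a routing decision made independently by each host, not an access control enforced by the network. On a flat switch with a consumer gateway, a narrower mask on the server changes how the server sends replies, not who can reach it.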

I think upgrading the clients to Windows 7 and joining them to a homegroup would be a decent solution as well, if he's willing to shell out for that. Employees would be able to view the homegroup password, don't know if that would be an issue.

How are the employees attaching devices to the network? You might consider approaching it from that side, rather than restricting at the server, since it's such a small environment.

In this scenario, limiting the number of IP addresses available doesn't help if any of the legit PCs or network infrastructure are physically accessible to the people he's trying to guard against. Someone could simply power off one of the existing PCs or disconnect a network cable, and temporarily use that PC's IP address. MAC addresses can be spoofed too, so implementing MAC address filtering isn't a solution either.

Also, what's to stop someone from just plugging a thumbdrive into one of the existing PCs and copying the data? (Is he able to restrict physical access or ensure the screen is locked whenever a trusted employee is not present?)

Definitely seems like the wrong solution to the problem. In this case a MAC filter list may help, assuming the workers don't know how to spoof the legit ones.

Proper access control with a domain controller or some other system (like applying encryption and/or rights management to documents) seems more proper. And yes, USB sticks already present a problem, are you going to superglue all the ports now?

BTW, if it is such a small company, IMO this should be the better approach:
1. Hire carefully
2. Treat the employees well, so they won't do **** like this.

The Model M is not for the faint of heart. You either like them or hate them.

For starters, the router will need to be an actual router that bridges subnets rather than just a gateway, like most home equipment is. If you don't have that then subnets aren't going to do anything for you.

Next, all of these addresses are going to be NATed at the router/gateway anyway, so you're better off changing to 172.16.x.x or 10.x.x.x addresses and assigning each network its own block. 172.16.1.0/24, or 10.0.1.0/24, for the computers, and 172.16.2.0/24, or 10.0.1.0/24, for the other devices.

As for network control, set up a RADIUS server and set the wireless network to WPA-Enterprise, and invest in switches that support 802.1x. WPA-Enterprise is easy to set up, and it's rather cheap since RADIUS can be run on a small Linux server. 802.1x switches are much more expensive and complicated.

Subnets are going to cause more trouble than they are worth and are trivial to bypass, and a MAC filter is trivial to get around for anyone that realises what is going on. Even going to 802.1x is going to be a nightmare and require a proper managed switch.

The right way to do this is to secure the information on the server so that only authorised clients can access it as Flying Fox suggests. Only allow domain members to access the shared data and only join the required machines to the domain.

notfred wrote: Only allow domain members to access the shared data and only join the required machines to the domain.

There is no domain, the server is a Windows 7 system.

I'm guessing this guy isn't going to want to spend a bunch of money on infrastructure. Something like MAC filtering might be the most reasonable way to do what's required without incurring lots of cost. It can be bypassed, but most people wouldn't know the first thing about it, which could make it a reasonable solution. We still don't know much about the environment, so it's hard to give very specific recommendations.

just brew it! wrote: Also, what's to stop someone from just plugging a thumbdrive into one of the existing PCs and copying the data? (Is he able to restrict physical access or ensure the screen is locked whenever a trusted employee is not present?)

Windows Vista forward has an option to disable USB storage support via Group Policy.

The three Windows XP machines would need to be upgraded to a business edition of 7, but then that option would be available to fix the part of the physical security issues. Still nothing preventing the theft of the drive out of one of the computers (albeit Windows 7 Ultimate could tackle that with BitLocker).

"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"

notfred wrote: Only allow domain members to access the shared data and only join the required machines to the domain.

There is no domain, the server is a Windows 7 system.

I'm guessing this guy isn't going to want to spend a bunch of money on infrastructure. Something like MAC filtering might be the most reasonable way to do what's required without incurring lots of cost. It can be bypassed, but most people wouldn't know the first thing about it, which could make it a reasonable solution. We still don't know much about the environment, so it's hard to give very specific recommendations.

The (relatively) cheap part can be achieved with Server Essentials, but of course the OP's client may be even cheaper than that. The XP boxen are going to have the USB port problem, assuming we do have that USB port problem.

Also, what about physical security to printers? I assume the business still needs to use paper? How about digital camera/mobile phone taking pictures of screens? How anal do you want to get? Are you treating all your employees (the same people that most companies claim to be the "real assets") like thieves now? Don't treat them like crap.

The Model M is not for the faint of heart. You either like them or hate them.

If you actually want to secure the data properly with a technical solution, that's gonna be expensive for a tiny shop like that; there are too many problems and too many workarounds unless you have serious infrastructure and technical know-how. Since you can't realistically do it with tech unless you want to shell out a good portion of money, and most of what you can easily implement can probably be googled around, such as MAC filtering, etc., it's a soft problem, with soft solutions.

That is, policy and acceptance from the employees. I.e. taking proprietary information from the systems should be grounds for dismissal and damages. Either they sign it or they don't work there, if the client is really anal about it. But keeping people who need access to the data for their work from being able to access it and carry it home in some format or another is next to impossible. Printed documents, mobile takes a photo of the screen, USB memories, personal devices, just committing the information to memory, etc.

Keeping outsiders from getting it is more easily realised. As is keeping out employees that shouldn't be able to access the data. The data resides on a server; the easiest would be to set rights on the file system on who can access it. But trying to limit it on a network basis is probably doomed to fail as far as employees go if they need access for work. This does not account for collusion or an employee helping another employee to access it though.

The owner is a good guy. He works 6 ½ days a week, 10 to 12 hours a day. He is honest and goes out of his way to take care of his customers. This is a car repair garage. The concern is that one of his best mechanics might be thinking of starting his own business. The owner is just concerned that he might take his customer list. No one is big into computers, these are car guys. So he wants to make it more secure if possible for not a whole lot of money. I figured I would change them to a different workgroup and put passwords on the access to the Windows 7 machine. I can't figure out any way to make it really secure as they need access to the customer list to take in cars and bill for the repairs. The USBs are a problem. I thought I saw somewhere that I can secure them on the Windows 7 computer, but I don't think I can on the XP computers. The router is really just an internet appliance that is pretty much just a gateway. I was just looking for something tricky to thwart computer novices.

Ah, I see. Truecrypt container in a non-network accessible location with a key file, or files, that aren't in the same location as the container. Truecrypt Homepage

1) They aren't going to crack the encryption. They won't have the time or computer power.
2) They will need the key file to start the decryption process, and since the key file can be anything, good luck to them figuring out what it is if it's not obvious and they only have the container.

The owner should probably talk it out with the mechanic, and be cool if he says he is going to leave. There is less chance of him stealing the client list if the guy is being cool about it.

Flatland_Spider wrote: Ah, I see. Truecrypt container in a non-network accessible location with a key file, or files, that aren't in the same location as the container. Truecrypt Homepage

1) They aren't going to crack the encryption. They won't have the time or computer power.
2) They will need the key file to start the decryption process, and since the key file can be anything, good luck to them figuring out what it is if it's not obvious and they only have the container.

The owner should probably talk it out with the mechanic, and be cool if he says he is going to leave. There is less chance of him stealing the client list if the guy is being cool about it.

The staff presumably needs to access the client list during the work day. Does this mean the owner is going to open shop each day, decrypt the stuff for the day, and then turn off the computer every night? Besides, if the mechanic is determined to "steal" the customer list, there are other ways of doing that. Like actually talking to the customers (he works on their cars, right?).

The Model M is not for the faint of heart. You either like them or hate them.